Black Arrow Cyber Advisory 02 July 2024 – Critical Vulnerabilities identified in OpenSSH, Juniper, and Apple App Development Supply Chain
Executive Summary
A critical security flaw that could allow unauthenticated remote code execution with root privileges has been discovered in the OpenSSH Server component when deployed in its default configuration. Critical vulnerabilities have also been discovered in Juniper Networks' ‘Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router’ product line. Additionally, vulnerabilities have been found within the CocoaPods dependency manager, which is used to manage library dependencies for many popular iOS and macOS applications. These vulnerabilities could allow attackers to claim ownership of thousands of unclaimed ‘pods’, enabling them to modify and insert malicious code into these dependencies.
Security updates have been released for the OpenSSH and Juniper vulnerabilities. Although the CocoaPods vulnerabilities have now been patched, developers are encouraged to verify the integrity of any open-source dependencies used previously within their applications, as these vulnerabilities have been present since a migration took place in 2014.
What’s the risk to me or my business?
If exploited, these vulnerabilities could compromise the confidentiality, integrity, and availability of data stored by an organisation. Specific information on each vulnerability is provided in the technical summary below.
What can I do?
Security updates are available for OpenSSH and affected Juniper products. These updates should be applied as soon as possible, especially for actively exploited vulnerabilities. It should be noted that where OpenSSH has been deployed into products managed by a hardware vendor, such as a firewall, security updates will need to be applied once released by the vendor. Software developers who rely on the CocoaPods dependency manager should verify the integrity of their dependencies, remove orphaned dependencies, and scan for malicious or suspicious code as part of secure development practices.
Technical Summary
OpenSSH
CVE-2024-6387: A critical race condition vulnerability may allow remote code execution with root privileges. This has been demonstrated in lab conditions to be successful after an average of 6-8 hours of continuous connections on 32-bit Linux systems. While 64-bit systems are believed to be exploitable, this was not demonstrated during testing. As OpenSSH is an included dependency for many different products, vendors will need to release their own security patches for these dependencies. Mitigation advice includes restricting SSH services to only be accessible from trusted sources or disabling the functionality if not required until a patch is available.
Further details on the OpenSSH vulnerabilities and individual vendor responses can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387.
Juniper
CVE-2024-2973: An Authentication Bypass Using an Alternate Path or Channel vulnerability with a CVSS 4.0 rating of 10.0 is present in Juniper Networks' Session Smart Router or Conductor running with a redundant peer. This allows a network-based attacker to bypass authentication and take full control of the device. The vendor advises that only Routers or Conductors running in high-availability redundant configurations are affected by this vulnerability and recommends that affected products be patched as soon as possible.
Further details on the vulnerabilities addressed can be found here: https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US.
CocoaPods
E.V.A Information Security conducted research into the CocoaPods dependency manager, which is often used in the development of iOS and macOS applications written in Swift or Objective-C. Over 3 million applications have used the dependency manager. Thousands of packages were left in an orphaned state by a 2014 migration in which the original owner was not confirmed, leaving them exposed to malicious takeover ever since. Malicious actors could use a public API and an email address to claim ownership of these packages, allowing them to alter or replace the source code with their own malicious code. Developers are advised to review the dependency lists and package managers used within their applications, validate checksums, scan for malicious code, and limit the use of orphaned or unmaintained packages.
Further details on the vulnerabilities can be found here: https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
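One way to act on the CocoaPods advice above (validate checksums, limit orphaned packages) is to audit the SPEC CHECKSUMS section of a project's Podfile.lock against a reviewed baseline. The script below is an added example, not code from this advisory or from E.V.A Information Security; the Podfile.lock contents, pod names and hash values are constructed sample data.

```python
"""Audit the SPEC CHECKSUMS section of a CocoaPods Podfile.lock against a reviewed baseline.
Each entry is the SHA-1 of a pod's resolved podspec, so a changed value means the spec itself
changed (e.g. a re-pointed source URL). All inputs are constructed sample data."""
import re

# Constructed sample Podfile.lock; the hashes are made up, not any real pod's values.
PODFILE_LOCK = """\
PODS:
  - ExampleNetworking (5.9.1)
  - ExampleJSON (5.0.2)
  - OrphanedWidget (1.0.0)

SPEC CHECKSUMS:
  ExampleNetworking: 1111111111111111111111111111111111111111
  ExampleJSON: 2222222222222222222222222222222222222222
  OrphanedWidget: 3333333333333333333333333333333333333333

COCOAPODS: 1.15.2
"""

# Reviewed baseline (constructed): checksums recorded when the pods were last vetted.
BASELINE = {
    "ExampleNetworking": "1111111111111111111111111111111111111111",
    "ExampleJSON": "9999999999999999999999999999999999999999",
}

def parse_spec_checksums(lock_text):
    """Return {pod_name: sha1} from the SPEC CHECKSUMS section of a Podfile.lock."""
    checksums, in_section = {}, False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if in_section:
            m = re.match(r"^\s+([^:]+):\s*([0-9a-f]{40})\s*$", line)
            if not m:
                break  # blank line or next top-level key ends the section
            checksums[m.group(1)] = m.group(2)
    return checksums

def audit(lock_text, baseline):
    """Split pods into 'changed' (checksum differs from baseline) and 'unreviewed' (not in baseline)."""
    current = parse_spec_checksums(lock_text)
    changed = sorted(p for p, h in current.items() if p in baseline and baseline[p] != h)
    unreviewed = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "unreviewed": unreviewed}

if __name__ == "__main__":
    print(audit(PODFILE_LOCK, BASELINE))  # {'changed': ['ExampleJSON'], 'unreviewed': ['OrphanedWidget']}
```

Note that the podspec checksum only detects a changed spec; a modified artefact served from an unchanged source URL would not alter it, so the source scan the advisory recommends is still needed.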